Niche Dating Apps Suffer Major Privacy Breach Exposing User Photos

Key Takeaways

1. Security Flaws in Dating Apps: Serious security issues were found in five niche dating apps from M.A.D. Mobile, risking the exposure of private photos.

2. Unprotected Data Storage: User-uploaded images were stored in Google Cloud without encryption or password protection, making them accessible to anyone with the URL.

3. Risks of Privacy Breaches: The exposure of explicit images can lead to harassment, extortion, and reputational damage, especially for users of specialized dating apps.

4. Lack of Response from Company: M.A.D. Mobile did not initially respond to concerns about the leak, prompting Cybernews to publish their findings before the issue was resolved.

5. Caution with Unknown Apps: Users should avoid apps from unknown publishers and share sensitive media only on encrypted platforms that ensure user protection and accountability.


As part of a big investigation into security problems in iOS apps, Cybernews found serious issues that could have led to a huge leak of private photos from several niche dating apps, all linked to one company, M.A.D. Mobile. These images came not just from public profiles and posts, but also from user chats, including ones that were deleted by moderators. Many of these images were explicit.

Affected Apps

Five apps from M.A.D. Mobile were compromised: BDSM People, the luxury ‘sugar dating’ app Chica, and the LGBT apps Pink, Brish, and Translovefound. All of these applications used the same architecture and shipped critical security credentials as plaintext in the app code. Those secret keys directed researchers to the Google Cloud Storage buckets where the photos were stored without any encryption or password protection. As a result, anyone who had the URL, which was publicly available, could access the media.
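A pre-release check a development team could run against its own build artifact to catch this class of flaw, as an added example (not Cybernews' tooling and not code from the affected apps). The function names, the pattern set, and the sample bytes are assumptions constructed for illustration.

```python
import re

# Assumed pattern set: the widely documented Google API key shape, Google Cloud
# Storage bucket URLs, and PEM private key headers.
PATTERNS = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    "gcs_bucket_url": re.compile(
        r"(?:gs://|https?://storage\.googleapis\.com/)"
        r"[a-z0-9][a-z0-9._\-]{1,61}[a-z0-9]"),
    "private_key_pem": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

def printable_strings(blob, min_len=6):
    """Yield (offset, text) for printable ASCII runs, like the `strings` tool."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.start(), m.group().decode("ascii")

def redact(value, keep=4):
    """Keep a short prefix so the report itself does not leak the secret."""
    return value[:keep] + "*" * (len(value) - keep)

def scan(blob):
    """Return findings for every embedded string that looks like a secret."""
    findings = []
    for offset, text in printable_strings(blob):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                findings.append({
                    "kind": kind,
                    "offset": offset + m.start(),
                    "match": redact(m.group()),
                })
    return findings

# Constructed sample: bytes shaped like a compiled binary with two embedded
# secrets. The key is a placeholder (35 'X' characters), not a real credential.
SAMPLE = (
    b"\x00\x01__TEXT\x00\x00"
    b"API_KEY=AIza" + b"X" * 35 + b"\x00"
    b"https://storage.googleapis.com/example-app-uploads/img\x00"
    b"\x07\x08harmless string here\x00"
)

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

In a build pipeline, `scan` would be given the bytes of the compiled app binary and its bundled property lists, and any finding would fail the build.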

Risks of Exposure

When private photos are exposed to potential malicious actors, it raises the risk of harassment, extortion, and damage to one’s reputation. The fallout from a privacy breach is likely to be much more severe for users of specialized dating apps, particularly in places where homosexuality is illegal.

The size of the leak is shocking—over 1.5 million user-uploaded photos, amounting to several hundred gigabytes of data. It’s somewhat reassuring that the exposed data did not include user identities, usernames, emails, or messages; however, a simple reverse image search could easily circumvent that protection. Notably, all five apps are exclusive to iOS, with no versions available for Android or the web.

Action Taken

Cybernews first contacted M.A.D. Mobile in January but received no response about the leak. Concerned about the lack of action from the company, and going against its usual practice, Cybernews opted to release a report on the issue before it was resolved. It wasn’t until the BBC reached out to the firm that a representative said the issue had been fixed, while thanking the researchers for their input.

This event underscores what many in the cybersecurity field are aware of: third-party iOS apps are not always safe from data leaks. In fact, Cybernews’ investigation revealed a concerning finding. Out of 156,000 apps examined (which is 8% of all apps on the Apple Store), 71% were found to be exposing at least one secret. On average, the code of each app revealed 5.2 secrets.

Key Takeaway

The most important lesson from this incident is that users ought to steer clear of apps from unknown publishers, especially when sharing sensitive information. Specifically, sensitive media should only be shared on encrypted platforms and services that provide a level of protection alongside public accountability.
